"PHP Composer Flaw That Could Affect Millions of Sites Patched"
A patch has been released for a critical vulnerability in PHP Composer, the tool used to manage and install software dependencies in the PHP ecosystem. According to the security researchers at SonarSource, who discovered the flaw, it could leave millions of websites at risk of abuse. Composer simplifies the update process and helps ensure that applications work across different environments and versions. The vulnerability was found in Packagist, the main public package repository that Composer queries to resolve package requests. By exploiting the vulnerability, attackers could cause Composer to download the wrong source code, potentially allowing a backdoor to be planted on the server running Composer. The vulnerability stems from how source code is fetched from different open-source repositories on behalf of Composer, which allowed the researchers to execute arbitrary system commands on the Packagist.org server. This article continues to discuss the potential exploitation and impact of the PHP package manager flaw, as well as the importance of securing the Software Development Life Cycle (SDLC).
BankInfoSecurity reports "PHP Composer Flaw That Could Affect Millions of Sites Patched"